security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
21b559c97f2b53bf28345c337bfa187ed29f5535
sigma-rules/rules/network/discovery_potential_port_scan_detected.toml
T
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-17 14:14:38 -05:00

78 lines
2.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/05"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
from one source host to 20 or more destination ports.
'''
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Scan Detected"
risk_score = 21
rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
severity = "low"
tags = ["Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
]
type = "threshold"
timestamp_override = "event.ingested"
query = '''
destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.port"
value = 250
Reference in New Issue View Git Blame Copy Permalink